Premade Powershell Scripts to cleanup AD

Andrew N. Kowtalo
Andrew N. Kowtalo used Ask the Experts™
Does anyone have pre-designed powershell scripts I can run on Server 2012 R2 to do AD cleanup?  I would like to cleanup old accounts machines OU's and groups.   I found some power shell scripts on Microsofts site but they just open prompt a message really quick that I cant read and close.  I just need a general cleanup Thank you.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Infrastructure Architect
Hello Andrew,

On the stale computer objects - I would suggest you to use the below script.

However, instead of removing it in one shot - Give it in multiple batches until you get better confidence.
If the enviornment was not having any cleanup done, I would suggest the below approach.

1) Identify the computer objects which are not logged into the domain for the last one year.
2) Keep them disabled and move it to a separate OU
3) Don't delete the disabled account immediately. Keep a cooling period of 30 days and get them deleted.

In the second iteration after completing step 3,
4) Identify the computer objects which are not logged into the domain for the last six months
5) Keep them disabled and move it to a separate OU
6) Give 30 days cooling period and delete them

I would suggest to adjust the script to filter the computer objects based on Operating system. This can be easily done along with Get-AdComputer commendlet by adding one more condition inside the filter.
For example

Get-ADComputer -Property Name,Enabled -Filter {"Enabled -eq $False" -AND OperatingSystem -like "Windows 8*"}

The second objective is to cleanup the stale group. This includes two aspects.
1) Security Groups
2) Distribution Lists

For Security Groups - We dont have any option to confirm that its used somewhere. Hence, the only option is to identify groups without any members and get them deleted. You can use the below script for that.

For Distribution Lists, Identify from the messaging system if any emails are getting delivered to that group. You should consider that some email admins may use DLs to get rid of some unwanted emails getting generated from thirdparty systems or external parties. To drop them without NDR, an empty group might be in use.

On any scripts which was created by someone else - I strongly recommend to understand the logic before running it on production system.

Hope that helps !

Happy New Year.

Andrew N. KowtaloSupport Center Engineer


Shabarinath Ramadasan thank you so much for your most excellent feed back.   This helped a TON!  I wish every response I get here in EE was exactly like this.  

I will perform these tasks and let you know how it goes.   Happy New Year and Thank you!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial